-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-08-15 Security Update 2005-007
Security Update 2005-007 is now available and delivers the following
security enhancements:
Apache 2
CVE-ID: CAN-2005-1344
Available for: Mac OS X Server v10.3.9
Impact: The htdigest program contains a buffer overflow which, if the
program is invoked from a CGI application with untrusted input, could
allow a remote system compromise.
Description: The htdigest program could be used in a CGI application
to manage user access controls to a web server. htdigest contains a
buffer overflow. This update fixes the buffer overflow in htdigest.
Apple does not provide any CGI applications that use the htdigest
program. Apache 2 ships only with Mac OS X Server, and is off by
default. This issue was fixed for Apache 1.3 in Security Update
2005-005. Credit to JxT of SNOsoft for reporting this issue.
Apache 2
CVE-ID: CAN-2004-0942, CAN-2004-0885
Available for: Mac OS X Server v10.3.9
Impact: Multiple security issues in Apache 2.
Description: The Apache Group fixed two vulnerabilities between
versions 2.0.52 and 2.0.53. The Apache Group security page for Apache
2 is located at
http://httpd.apache.org/security/vulnerabilities_20.html. The
previously available version of Apache 2 was 2.0.52. Apache 2 is
updated to version 2.0.53. Apache 2 ships only with Mac OS X Server,
and is off by default.
Apache 2
CVE-ID: CAN-2004-1083, CAN-2004-1084
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: The Apache 2 example configuration does not fully block access
to resource forks, ".ht" files, or ".DS_Store" files.
Description: Apache 2 ships only with Mac OS X Server, and is off by
default. It is important that administrators who enable this server
manually are aware of the files that should be blocked to avoid
security exposures. The default Apache 2 configuration blocks access to
files whose names start with ".ht" using a case-sensitive pattern. The
Apple HFS+ filesystem resolves file names case-insensitively, so a
request for ".HTACCESS" reaches the file that rule was meant to hide;
HFS+ also maps the resource fork of each file to a path name that the
same rule does not cover. The Finder may also create
.DS_Store files containing the names of files in locations used to
serve web pages. This update modifies the sample Apache 2
configuration to show how to restrict access to these files and
resource forks. This issue was fixed for Apache 1.3 in Security
Update 2004-12-02. Additional information is provided in
http://docs.info.apple.com/article.html?artnum=300422
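The following Python script is an added example (not Apple's or the Apache project's code) that models the matching behaviour this entry describes: a stock-style Files rule is a case-sensitive regex applied to the request name as typed, while HFS+ resolves names case-insensitively and exposes a file's resource fork at FILE/..namedfork/rsrc. The configuration text, document root and probe requests are constructed for the example; the hardened directives follow the shape Apple's knowledge base article recommends but are this example's reconstruction, not a quotation of the shipped httpd.conf.

```python
"""Model of Apache 2 <Files>/<Directory> deny rules on an HFS+ document root.

Added example, not Apple's or Apache's code.  The configuration text, the
document root and the probe requests are all constructed here.  The stock
rule mirrors the shape of Apache 2.0's default ".ht" section; the hardened
rule mirrors the shape of the case-insensitive and "..namedfork" sections
Apple recommends, but both are reconstructions, not quoted httpd.conf.
"""
import posixpath
import re

# Stock-style rule: a case-sensitive regex on the file name.
STOCK_CONF = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
'''

# Hardened rule: character classes cover every case of ".ht" and ".DS_S",
# and a <Directory> regex blocks the "..namedfork" component HFS+ exposes.
HARDENED_CONF = r'''
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
<Directory ~ ".*\.\.namedfork">
    Order allow,deny
    Deny from all
    Satisfy All
</Directory>
'''

# Constructed document root: names exactly as stored on disk.
DOCROOT = {"/index.html", "/.htaccess", "/.htpasswd", "/.DS_Store"}

# Constructed probe requests: one legitimate page plus the variants the
# advisory is about (case changes, Finder metadata, resource forks).
PROBES = [
    "/index.html",
    "/.htaccess", "/.HTACCESS", "/.Htpasswd",
    "/.DS_Store", "/.ds_store",
    "/index.html/..namedfork/rsrc",
    "/.htpasswd/..namedfork/rsrc",
]

_FILES_RE = re.compile(r'<Files(?:Match)?\s+(?:~\s+)?"([^"]+)"')
_DIRS_RE = re.compile(r'<Directory(?:Match)?\s+(?:~\s+)?"([^"]+)"')

def deny_patterns(conf):
    """Extract the regexes of <Files>/<Directory> sections.  The model
    treats every such section as a Deny-from-all rule, which holds for
    the two fragments above."""
    files = [re.compile(p) for p in _FILES_RE.findall(conf)]
    dirs = [re.compile(p) for p in _DIRS_RE.findall(conf)]
    return files, dirs

def resolve(path, case_insensitive=True):
    """Map a request to the on-disk file it reads, or None if it 404s.

    With case_insensitive=True (HFS+) names match ignoring case and a
    file's resource fork is reachable as FILE/..namedfork/rsrc.  With
    False (a case-sensitive volume such as UFS) only exact names exist."""
    fork_suffix = "/..namedfork/rsrc"
    if path.endswith(fork_suffix):
        if not case_insensitive:
            return None
        path = path[: -len(fork_suffix)]
    for on_disk in DOCROOT:
        if on_disk == path or (case_insensitive and on_disk.lower() == path.lower()):
            return on_disk
    return None

def denied(path, file_res, dir_res):
    """Apache applies <Files> regexes to the last component of the request
    as typed and <Directory> regexes to the directory part."""
    directory, name = posixpath.split(path)
    return (any(r.search(name) for r in file_res)
            or any(r.search(directory) for r in dir_res))

def served(requests, conf, case_insensitive=True):
    """Return the requests that both exist on disk and escape every rule."""
    file_res, dir_res = deny_patterns(conf)
    return [p for p in requests
            if resolve(p, case_insensitive) is not None
            and not denied(p, file_res, dir_res)]

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label:9s} HFS+: served {served(PROBES, conf)}")
    print(f"stock     UFS : served {served(PROBES, STOCK_CONF, False)}")
```

Run on its own, the script shows the stock rule leaking ".HTACCESS", ".Htpasswd", both spellings of ".DS_Store" and both resource-fork paths on HFS+, and only ".DS_Store" on a case-sensitive volume; the hardened rule serves only "/index.html" on either. The check is only as good as the rule set it is given, so after enabling Apache 2 on Mac OS X Server, request these same variants against the live server rather than trusting the model.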
AppKit
CVE-ID: CAN-2005-2501
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Opening a malicious rich text file could lead to arbitrary
code execution.
Description: A buffer overflow in the handling of maliciously crafted
rich text files could lead to arbitrary code execution. This update
prevents the buffer overflow from occurring.
AppKit
CVE-ID: CAN-2005-2502
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Opening a maliciously crafted Microsoft Word .doc file could
result in arbitrary code execution.
Description: A buffer overflow in AppKit that is responsible for
reading Word documents could allow arbitrary code execution. Only
applications such as TextEdit that use AppKit to open Word documents
are vulnerable. Microsoft Word for Mac OS X is not vulnerable. This
update prevents the buffer overflow.
AppKit
CVE-ID: CAN-2005-2503
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: A malicious user with physical access to a system could
create additional local accounts.
Description: A malicious user who has full physical access to a
system could create additional accounts by forcing an error
condition. This update prevents the error conditions from occurring
at the login window.
Bluetooth
CVE-ID: CAN-2005-2504
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: The System Profiler information about whether or not a
Bluetooth device requires authentication is misleading.
Description: Selecting "Require pairing for security" in Bluetooth
preferences correctly sets the device to require authentication, but
in System Profiler the device is labeled with "Requires
Authentication: No". This update changes System Profiler to
accurately reflect the Bluetooth security settings. This issue does
not affect systems prior to Mac OS X 10.4. Credit to John M. Glenn of
San Francisco for reporting this issue.
CoreFoundation
CVE-ID: CAN-2005-2505
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Buffer overflow via a command line argument for applications
using the CoreFoundation framework.
Description: The incorrect handling of a command line argument within
the CoreFoundation framework can result in a buffer overflow that may
be used to execute arbitrary code. This issue has been addressed by
improved handling of command line arguments. This issue does not
affect Mac OS X 10.4. Credit to David Remahl of www.remahl.se/david
for reporting this issue.
CoreFoundation
CVE-ID: CAN-2005-2506
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Passing a malformed date to the CoreFoundation framework can
cause applications to stall.
Description: The parsing of Gregorian dates in the CoreFoundation
framework is vulnerable to an algorithmic complexity attack that
could result in a denial of service. This update modifies the
algorithm to parse all valid dates within a fixed processing time.
Credit to David Remahl of www.remahl.se/david for reporting this
issue.
CUPS
CVE-ID: CAN-2005-2525, CAN-2005-2526
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: The CUPS printing service will not print unless it is
restarted.
Description: When handling multiple, simultaneous, print jobs the
CUPS printing service can stop printing because it incorrectly tracks
open file descriptors. In addition, if CUPS receives a partial IPP
request and a client terminates the connection, the printing service
will then consume all available CPU. If the service is restarted then
printing will resume. This update corrects the handling of multiple,
simultaneous print jobs and partial requests.
Directory Services
CVE-ID: CAN-2005-2507
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: A buffer overflow in Directory Services could lead to remote
execution of arbitrary code.
Description: A buffer overflow in the handling of authentication can
lead to arbitrary code execution by a remote attacker. This update
prevents the buffer overflow from occurring.
Directory Services
CVE-ID: CAN-2005-2508
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: The privileged tool dsidentity has several security flaws
that can result in non-administrative users adding or removing
identity user accounts in Directory Services.
Description: This update addresses this issue by removing dsidentity
and its documentation. This issue does not affect systems prior to
Mac OS X 10.4. Credit to kf_lists[at]digitalmunition[dot]com and Neil
Archibald of Suresec LTD for reporting this issue.
Directory Services
CVE-ID: CAN-2005-2519
Available for: Mac OS X Server v10.3.9
Impact: Insecure temporary file creation could lead to a local
privilege escalation.
Description: slpd insecurely creates a root-owned file in the
world-writable /tmp directory. This update moves the creation of the
file to a directory that is not world-writable. This issue does not
affect Mac OS X v10.4.
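The script below is an added example, not Apple's slpd code (the advisory names no file or routine). It reproduces the class of bug in the entry: a privileged process creating a predictably named file in a world-writable directory can be made to write through a symlink that a local user planted first. A throw-away sandbox directory stands in for /tmp so it runs unprivileged, and the file name "slpd.pid" is hypothetical.

```python
"""Insecure vs. fail-closed creation of a privileged file in a shared directory.

Added example, not Apple's slpd code; the advisory names no file or routine.
A throw-away sandbox directory stands in for the world-writable /tmp so the
script runs as an ordinary user: the local attacker pre-plants a symlink at
the predictable name, and we observe what each open() style then does.
The file name "slpd.pid" is hypothetical.
"""
import errno
import os
import tempfile

def plant_symlink(shared_dir, name, target):
    """Attacker step.  Any local user can create this in a world-writable
    directory before the daemon starts; the name is guessable."""
    link = os.path.join(shared_dir, name)
    os.symlink(target, link)
    return link

def daemon_write_insecure(path, data):
    """Vulnerable pattern: a plain open for writing follows the symlink and
    truncates whatever it points at.  Run as root, this is a write to any
    file the attacker chose."""
    with open(path, "w") as f:
        f.write(data)

def daemon_write_safe(path, data):
    """Hardened pattern for a name that must live in a shared directory:
    create-only (O_EXCL), never follow a symlink (O_NOFOLLOW), owner-only
    mode.  Raises OSError (EEXIST or ELOOP) instead of writing through
    something an attacker planted."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def demo():
    """Run both patterns against a planted symlink.

    Returns (victim_contents_after_insecure_write, safe_write_refused)."""
    with tempfile.TemporaryDirectory() as shared_dir:      # stands in for /tmp
        victim = os.path.join(shared_dir, "victim.conf")   # attacker's target
        with open(victim, "w") as f:
            f.write("original contents\n")
        link = plant_symlink(shared_dir, "slpd.pid", victim)

        daemon_write_insecure(link, "12345\n")
        with open(victim) as f:
            clobbered = f.read()

        refused = False
        try:
            daemon_write_safe(link, "12345\n")
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)
        return clobbered, refused

if __name__ == "__main__":
    contents, refused = demo()
    print("victim after insecure write:", repr(contents))
    print("safe open refused the planted symlink:", refused)
```

The insecure write replaces the victim's contents with the daemon's data; the hardened open refuses. Apple's fix in this update takes the stronger route of moving the file out of the shared directory altogether, which removes the attacker's ability to plant anything; O_EXCL plus O_NOFOLLOW (or tempfile.mkstemp for an unpredictable name) is the defence when a shared directory cannot be avoided.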
HIToolbox
CVE-ID: CAN-2005-2513
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: VoiceOver may read content from secure input fields.
Description: Under certain circumstances, secure input fields may be
read by VoiceOver services. This update stops VoiceOver from exposing
the content of these fields. This issue does not affect systems prior
to Mac OS X v10.4.
Kerberos
CVE-ID: CAN-2004-1189
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: An authenticated user could execute arbitrary code on the KDC
host, compromising a Kerberos realm.
Description: A heap buffer overflow in password history handling code
could be exploited to execute arbitrary code on a Key Distribution
Center (KDC). This issue does not affect Mac OS X 10.4. Credit to the
MIT Kerberos team for reporting this issue. Their advisory for this
vulnerability is located at
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
Kerberos
CVE-ID: CAN-2005-1174, CAN-2005-1175, CAN-2005-1689; CERT VU#885830,
VU#259798, VU#623332
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Multiple buffer overflow vulnerabilities could result in
denial of service or remote compromise of a KDC.
Description: This update upgrades Kerberos for Macintosh to version
5.5.1, which contains fixes for this issue. The Kerberos security
advisories for these issues are located at
http://web.mit.edu/kerberos/www/advisories/
Kerberos
CVE-ID: CAN-2005-2511
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Kerberos-enabled logins when using LDAP can result in root
compromise.
Description: When Kerberos authentication is enabled in addition to
LDAP, it was possible to gain access to a root Terminal window.
Kerberos authentication has been updated to prevent this situation.
This issue does not affect systems prior to Mac OS X v10.4. Credit to
Jim Foraker of Carnegie Mellon University and colleagues at
MacEnterprise.Org for reporting this issue.
loginwindow
CVE-ID: CAN-2005-2509
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A user can gain access to other logged-in accounts if Fast
User Switching is enabled.
Description: An error in the handling of Fast User Switching can
allow a local user who knows the password for two accounts to log
into a third account without knowing the password. This update
corrects the authentication error. This issue does not affect systems
prior to Mac OS X 10.4. Credit to Sam McCandlish for reporting this
issue.
Mail
CVE-ID: CAN-2005-2512
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Loss of privacy due to Mail loading remote images in HTML
emails.
Description: When Mail.app is used to print or forward an HTML
message, it will attempt to load remote images even if a user's
preferences disallow it. As this network traffic is not expected, it
may be considered a privacy leak. This update addresses the issue by
having Mail.app only load remote images in HTML messages when the
preferences allow it. This issue does not affect systems prior to Mac
OS X v10.4. Credit to Brad Miller of CynicalPeak and John Pell of
Foreseeable Solutions for reporting this issue.
MySQL
CVE-ID: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
Available for: Mac OS X Server v10.3.9
Impact: Multiple vulnerabilities in MySQL including arbitrary code
execution by remote authenticated users.
Description: MySQL is updated to version 4.0.24 to address several
issues. This does not affect systems running Mac OS X v10.4, as Tiger
shipped with MySQL version 4.1.10a, which is patched against these
issues. The MySQL announcement for version 4.0.24 is located at
http://dev.mysql.com/doc/mysql/en/news-4-0-24.html
OpenSSL
CVE-ID: CAN-2004-0079, CAN-2004-0112
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Multiple denial of service vulnerabilities in OpenSSL.
Description: OpenSSL is updated to version 0.9.7g to address several
issues. The OpenSSL advisory for these issues is located at
http://www.openssl.org/news/secadv_20040317.txt
ping
CVE-ID: CAN-2005-2514
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: A buffer overflow could result in local privilege escalation
and arbitrary code execution.
Description: The ping utility is vulnerable to a buffer overflow.
This update prevents the buffer overflow from occurring. This issue
does not affect systems running Mac OS X v10.4. Credit to Ilja van
Sprundel of Suresec LTD for reporting this issue.
QuartzComposerScreenSaver
CVE-ID: CAN-2005-2515
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Users could open web pages while the RSS Visualizer screen
saver is locked.
Description: It is possible to open displayed links from the RSS
Visualizer in the background when the screen saver is configured to
require a password. This update prevents the RSS Visualizer screen
saver from opening a URL if a password is required to exit the screen
saver. Credit to Jay Craft of GrooVault Entertainment, LLC for
reporting this issue.
Safari
CVE-ID: CAN-2005-2516
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Clicking on a link in a maliciously-crafted rich text file in
Safari could lead to arbitrary command execution.
Description: Safari renders rich text content using code that allows
URLs to be called directly, which bypasses the normal browser
security checks. This update addresses the issue by handling all
links in rich text through Safari.
Safari
CVE-ID: CAN-2005-2517
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.2, Mac OS X Server v10.4.2
Impact: Information can be inadvertently submitted to the wrong site.
Description: When submitting forms in Safari on an XSL formatted
page, data is sent to the next page browsed. This update addresses
the issue by ensuring that form contents are submitted correctly.
Credit to Bill Kuker for reporting this issue.
SecurityInterface
CVE-ID: CAN-2005-2520
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Recently-used passwords are visible via the password
assistant.
Description: The password assistant provides an easy mechanism for
selecting a good password. If an administrator uses the password
assistant while adding multiple accounts, they will be able to view
previously suggested passwords. This only occurs when password
assistant is used more than once from the same process. This update
addresses the issue by resetting the suggested password list each
time the password assistant is displayed. This issue does not affect
systems prior to Mac OS X v10.4. Credit to Andrew Langmead of
Boston.com for reporting this issue.
servermgrd
CVE-ID: CAN-2005-2518
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: A buffer overflow in servermgrd could lead to remote
execution of arbitrary code.
Description: A buffer overflow in the handling of authentication can
lead to arbitrary code execution by a remote attacker. This update
prevents the buffer overflow from occurring.
servermgr_ipfilter
CVE-ID: CAN-2005-2510
Available for: Mac OS X Server v10.4.2
Impact: Certain firewall policies created with the Server Admin tool
are not always written to the Active Rules.
Description: When using multiple subnets and Address Groups, the
firewall rules are not always written to the Active Rules depending
on the order in which the IP subnets were entered into the Address
Group. This update addresses the issue by generating correct rules
irrespective of any ordering within the Address Group. This issue
does not affect systems prior to Mac OS X 10.4. Credit to Matt
Richard of Franklin & Marshall College and Chris Pepper of The
Rockefeller University for reporting this issue.
SquirrelMail
CVE-ID: CAN-2005-1769, CAN-2005-2095
Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.2
Impact: Multiple vulnerabilities in SquirrelMail including cross-site
scripting and SquirrelMail user preference modification.
Description: There are multiple vulnerabilities in SquirrelMail prior
to version 1.4.5. These fixes address cross-site scripting and an
exposure that may allow attackers to modify user preferences. This
update upgrades SquirrelMail to version 1.4.5. For more information,
see http://www.squirrelmail.org
traceroute
CVE-ID: CAN-2005-2521
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: A buffer overflow could result in local privilege escalation
and arbitrary code execution.
Description: The traceroute utility is vulnerable to a buffer
overflow. This update prevents the buffer overflow from occurring.
This issue does not affect systems running Mac OS X v10.4. Credit to
Ilja van Sprundel of Suresec LTD for reporting this issue.
WebKit
CVE-ID: CAN-2005-2522
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Clicking on a link in a maliciously-crafted PDF file in
Safari could lead to arbitrary command execution.
Description: Safari renders PDF content using code that allows URLs
to be called directly, which bypasses the normal browser security
checks. This Safari issue does not affect systems prior to Mac OS X
v10.4. This update addresses the issue by handling all links in PDF
through Safari.
Weblog Server
CVE-ID: CAN-2005-2523
Available for: Mac OS X Server v10.4.2
Impact: Multiple cross-site scripting issues in Weblog Server.
Description: Several cross-site scripting problems were discovered in
the Weblog Server. This update improves the sanitizing of user input
before re-displaying it. This issue does not affect systems prior to
Mac OS X v10.4. Credit to Donnie Werner ( email@hidden ) of
Exploitlabs.com and Atsushi MATSUO for reporting this issue.
X11
CVE-ID: CAN-2005-0605
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: A buffer overflow could result in arbitrary code execution.
Description: An error in LibXPM may allow attackers to execute
arbitrary code via a negative bitmap_unit value that leads to a
buffer overflow. This issue does not affect systems prior to Mac OS X
v10.4.
zlib
CVE-ID: CAN-2005-2096, CAN-2005-1849
Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2
Impact: Applications linked against zlib are susceptible to denial of
service attacks and potential execution of arbitrary code.
Description: By carefully crafting a corrupt compressed data stream,
an attacker can overwrite data structures in a zlib-using
application, resulting in denial of service or possible arbitrary
code execution. This update addresses the issue by updating zlib to
version 1.2.3.
Security Update 2005-007 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.4.2
The download file is named: "SecUpd2005-007Ti.dmg"
Its SHA-1 digest is: 29bdf6e3336ba5962c105cb5eeec1c34bd0b5dca
For Mac OS X Server v10.4.2
The download file is named: "SecUpdSrvr2005-007Ti.dmg"
Its SHA-1 digest is: 29b29c5efbc7482c22e4ed3f9bc003becd701d04
For Mac OS X v10.3.9
The download file is named: "SecUpd2005-007Pan.dmg"
Its SHA-1 digest is: 602ce07500faecd1a7cf85274321aa406063bd87
For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-007Pan.dmg"
Its SHA-1 digest is: 937deb4fd43c5bbce998ea743fd2b5f1fddee772
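The script below is an added example, not something Apple ships: it checks a directory of downloaded update images against the four SHA-1 digests listed above, streaming each file rather than reading it into memory, and reports each image as ok, mismatched or missing. The digest only proves the download matches what this signed message lists; what authenticates the list is the PGP signature on the message, and since SHA-1 is no longer collision-resistant the signature rather than the digest algorithm carries the trust. The selfcheck() routine uses a constructed file, not a real image.

```python
"""Verify downloaded Security Update images against the advisory's SHA-1 digests.

Added example; Apple ships no such script.  Digests are copied from the
advisory text above.  hash_file() and verify() are generic; check_downloads()
reports one status per image.  selfcheck() uses a constructed file whose
content is not a real update image.
"""
import hashlib
import hmac
import os
import tempfile

# File name -> SHA-1 hex digest, as published in the signed advisory.
PUBLISHED = {
    "SecUpd2005-007Ti.dmg": "29bdf6e3336ba5962c105cb5eeec1c34bd0b5dca",
    "SecUpdSrvr2005-007Ti.dmg": "29b29c5efbc7482c22e4ed3f9bc003becd701d04",
    "SecUpd2005-007Pan.dmg": "602ce07500faecd1a7cf85274321aa406063bd87",
    "SecUpdSrvr2005-007Pan.dmg": "937deb4fd43c5bbce998ea743fd2b5f1fddee772",
}

def hash_file(path, algorithm="sha1", chunk_size=1 << 20):
    """Stream the file through the digest so a large image need not fit
    in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, expected_hex, algorithm="sha1"):
    """True if the file's digest equals expected_hex (case-insensitive).
    compare_digest avoids a timing difference on partial matches."""
    actual = hash_file(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())

def check_downloads(directory, published=PUBLISHED):
    """Return {file name: 'ok' | 'MISMATCH' | 'missing'} for every image."""
    report = {}
    for name, digest in published.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if verify(path, digest) else "MISMATCH"
    return report

def selfcheck():
    """Constructed check: a file containing b"hello" has the well-known
    SHA-1 aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d.  It is written under
    one of the image names so the report shows a mismatch, and the other
    three images show as missing.  Returns (verify_ok, verify_wrong, report)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "SecUpd2005-007Ti.dmg")   # constructed, not the real image
        with open(path, "wb") as f:
            f.write(b"hello")
        ok = verify(path, "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D")
        wrong = verify(path, PUBLISHED["SecUpd2005-007Ti.dmg"])
        return ok, wrong, check_downloads(d)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    report = check_downloads(target)
    for name, status in report.items():
        print(f"{status:8s} {name}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Point it at the folder holding the downloaded .dmg files; a non-zero exit on any MISMATCH or missing entry makes it usable from a deployment script. The same check is what "openssl sha1 <file>" on the Mac itself computes by hand.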
Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.1 (Build 2185)
iQEVAwUBQwD+i4HaV5ucd/HdAQIcAwgAqUXYWRirRIJxVnANhAWGK7RZnoAqlMC6
AO+bJblFoViVWOqNFpehw2Site24JSJ12ynqPtX8+eMq6XTdF88583JPYs4s5cWJ
Twz4kge9tZQW82ZD6nl4Wi3YP0KWn1Ou10z2v5WtS0ee2/0nAr+wHcVEwroipMF7
oDzKvd5BKBaBBB06uNHtrOG9LLmtSsqbAn1JjTGGoJCzaIgvyD7ceG/xcIrCDBX0
yxbK/dL+hub/+Oh5C4+j1n27xwVVDn5LRrCPkzn5tymFLlaFXgGSPiSCOX8U//Bx
jJJ31PoIRlA/23jvXV80sKpT0F7LiadwUA8Mm/NzECbyWBalN6HdEQ==
=KwXV
-----END PGP SIGNATURE-----
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/email@hidden